Data Protection in Financial Technology Services (A Study in Indonesian Legal Perspective)

The banking sector is facing a new competitor, namely Financial Technology (Fintech). Fin-tech can be described as an industry composed of companies that use new technology and innovation with available resources in order to compete in the marketplace of traditional financial institutions and intermediaries in the delivery of financial services. In Indonesia, Fin-tech has developed widely over the past 3 years. Fin-tech faces a new challenge as a new service for financial consumers that adapts to new ways of living in the modern digital technology era. Basically, Fin-tech offers three main categories: payment, personal finance, and financing. Financing applications include peer-to-peer financing, social crowd funding, and loan marketplaces. All of these kinds of application raise issues of legal framework and data protection due to their use of communication technologies such as the internet, social networks, smartphones, massive use of data with Big Data, connected objects, etc. The use of big data and those new technologies creates new opportunities for these sectors, and this development also raises significant data protection concerns. This paper discusses two legal issues of Fintech: the legal aspect and data protection.


INTRODUCTION
Dian Purnama Anugerah and Masitoh Indriani, Sriwijaya Law Review, Vol. 2 Issue 1, January (2018), [82-92]. ISSN Print: 2541-5298, ISSN Online: 2541-6464.

Currently the financial sector is facing a new model of technology called fin-tech. Fin-tech is an abbreviation derived from Financial Technology, a term that combines finance and information technology. So far there has been no consensus amongst scholars regarding the definition of fin-tech. Although there is no common definition, there are similarities that can be drawn from some opinions: Fin-tech is a new financial industry that applies technology to improve financial activities.[1] Although the word fin-tech is new, the term in fact describes a relationship that has long existed. The early relation between finance and technology began in the 1950s, when the credit card was introduced to ease the burden of carrying cash. Then in the 1960s, the ATM (Automatic Teller Machine) was introduced to substitute for tellers and branches.[2] In 1990, the use of the internet began changing the way of life. The financial services industry began to offer services based on information technology. Since 2008, financial services have no longer been dominated by the traditional regulated financial services industry. New startups and established technology companies began to offer financial products and services directly to businesses and the general public.[3] The convergence between startup business trends and modern fin-tech has brought a new era of financial service development, from a traditional (bank-driven) financial system to a consumer-driven one.
According to the Indonesia Internet Service Provider Association (APJII), as of January 2017 the total number of internet users in Indonesia was 132.7 million, with internet penetration of around 51.8%. As many as 63.1 million of them access the internet by using mobile phones.[4] The widespread use of the internet, especially through mobile phones, is the dominant factor in the number of internet users in Indonesia. Most mobile phone users are young people who want everything to be easy and instantaneous. Meanwhile, the number of Indonesian adults who have savings accounts is only 36% of the population, and around 49 million SME units are not yet bankable.[5] There are several reasons why Indonesians are reluctant to have a bank account: first, the procedures related to banking are so complex; second, the lack of access to banking in the regions; third, the lack of knowledge of banking products, etc. These facts contributed to the emergence of fin-tech startups in the past three years. Fin-tech startups appear to fill the gap left by the low penetration level of banking institutions and the increasing public interest in having banking services in hand.

[1] Schueffel, P. Taming the Beast: A Scientific Definition of Fintech. Journal of Innovation Management, 2016, p45.
[2] Desai, F. The Evolution of Fintech: https://www.forbes.com/sites/falgunidesai/2015/12/13/the-evolution-offintech/#71e09ed17175, [retrieved: August 4, 2016].
[3] Arner, D., Barberis, J., & Buckley, R. The Evolution of Fintech: A New Post-Crisis Paradigm? New South Wales: University of New South Wales, 2016.
Up to July 2017, a total of 180 fin-tech startups operated in Indonesia. Considering this situation, the Indonesian government responded quickly to this phenomenon. The Indonesia Financial Service Authority (OJK) and the Indonesian Central Bank (BI) issued new regulations regarding fin-tech services. Although these regulations do not address fin-tech specifically, they at least provide an opportunity for fin-tech to flourish. This means that the government responded to this situation well.

ANALYSIS AND DISCUSSION
The Indonesia Financial Service Authority (OJK) divides fin-tech startups into five categories. First, fin-tech engaged in payment, transfer, and remittance. Second, fin-tech for financing, which is divided into two, namely equity-based crowd funding and loan-based funding. Third, fin-tech for financial management, which makes it convenient for people to invest or manage their finances. Fourth, fin-tech engaged in insurance. Fifth, fin-tech engaged in the marketplace lender and supporting.[7]
The third, fourth and fifth models are only services that emphasize information and supporting systems. But the first and second models already involve a quite complex legal relationship. Therefore, OJK and BI immediately issued regulations to anticipate the development of those services. The following sections discuss the legal relationship and the parties involved in the peer-to-peer lending (P2P) model and the payment gateway system.

Peer-to-Peer Lending System
The term 'peer-to-peer' describes the interaction between two parties without the need for a central intermediary. The beginning of P2P in finance can be traced to the launch of Zopa, a company from the United Kingdom, in 2005 and the US-based Prosper in 2006. Both facilitated peer-to-peer lending in which borrowers and lenders could bypass banks and deal directly with each other through an online marketplace.[8] In peer-to-peer lending, the fin-tech startup does not operate like a bank. It does not function as an intermediary institution. This means that a fin-tech startup does not collect and distribute public funds. It acts as a marketplace or platform to bridge the lender and borrower. This complies with the Banking Act (Act No. 10 of 1998), which prohibits any entity other than a bank from collecting funds as savings and distributing them as credit. However, both parties need to obey the rules set by the platform. The P2P startup will analyze the risk to make sure that the operation complies with the authority's regulation and secures the data of both parties.
Article 1 (3) POJK No. 77/POJK.01/2016: "Money Lending Services Based on Information Technology is a financial service to match between lenders and borrowers in order to create money loan agreements in rupiah currency directly through electronic systems using the internet network." Pursuant to that article, the P2P service has a different character from the money lending service performed by a bank. To avoid confusion, note that some banks also offer money loan services through the internet, but this is different from the P2P model. In the P2P model the money lent comes directly from fellow users of the fin-tech service. So in this model, the fin-tech application serves as a platform or a marketplace where application users use the service in their different roles (borrower or lender).
The parties involved in P2P are divided into three categories, namely Service Provider (Platform), Borrower, and Lender (Investor). Article 8 of the POJK stipulates that there are two legal relationships in the P2P system. The first is a legal relationship between the fin-tech startup and the users of the application, who might be borrowers or lenders. The second is a legal relationship between the borrower and the lender themselves. However, the POJK does not specify the kind of agreement in each relationship, especially the one between a provider and a lender, and whether it is to involve a trustee or power of attorney in their service agreement.
Determining the legal relationship is very important because P2P lending is a high-risk instrument. In P2P the heaviest burden is to regulate the legal relationship between a provider and a lender. The worst scenario that lenders can suffer is when a borrower defaults. The lender has no guarantee that the money will be returned (unsecured creditors). Who bears liability in this condition depends on the agreement, that is, whether or not the provider is jointly liable for the debt incurred. Joint liability may arise when the service provider fails to take care in performing a risk analysis of the borrower. In some situations, a service provider can act as a collecting agency on behalf of a lender. Under Articles 19 and 20 of the POJK, OJK does not regulate the P2P agreement specifically. OJK only regulates the minimum standard of the electronic document that has to be made in each agreement. One of the crucial matters is the dispute settlement procedure.

Internet Payment Gateway System
There are three categories of Internet Payment Gateway (IPG), i.e. based on the money flow, based on the sources, and based on the payment channel. The first means the payment is made from a customer account to a merchant account directly or through IPG aggregator accounts that keep the money temporarily. The second means the payment derives from hard cash, credit cards, debit cards, e-money, personal bank accounts, corporate saving accounts, micro loan accounts, and commercial loan accounts. The third means the payment is made through agents, including a point-of-sales system and gadget-based channel system, or without agents.[9]
The payment model discussed in this paper is the gadget-based channel system. This model is different from the offline system established before. The offline system relies on a payment tool such as a credit card, e-money card, or any other card requiring an Electronic Data Capture (EDC) machine. Fin-tech startups have now developed online payment systems that no longer use conventional tools such as cards. Such a system has a mobile phone application (Android/iOS) and is integrated with online and offline merchant accounts. Most of the gadget-based payment systems have e-money/e-wallet models. This space is occupied not only by fin-tech startups (iPaymu, DOKU, Dimo, Fastpay) but also by online marketplaces (Bukadompet by Bukalapak) and mobile phone operators (T-cash by Telkomsel, XL Tunai by Excelcomindo, Dompetku by Indosat Ooredoo).
The gadget-based payment system is accommodated in Article 1 (6) of PBI No. 18/40/PBI/2016, which stipulates that "Payment Gateway is an electronic service that allows merchants to process transactions payment by using payment tool using cards, electronic money, and/or proprietary channel." Moreover, Article 1 (7) defines the electronic wallet as an electronic service to store data of payment instruments, among other means of payment by using the card and/or electronic money, as well as to accommodate funds to make payments.
Under Article 2 of PBI No. 18/40/PBI/2016, the payment service can be conducted by providers of payment system services and providers of payment system support services. Furthermore, PBI No. 18 states that a provider of payment system services is a Bank or any Non-Bank Institution that organizes payment system service activities. Meanwhile, a provider of payment system support services is a party providing services to the providers of payment system services to support the implementation of payment system service activities.
IPG providers must have a license issued by the Indonesian Central Bank prior to their operation. A license is mandatory for e-wallet providers once the number of active users has reached, or is planned to reach, at least 300,000 (three hundred thousand) users. They are also required to obtain approval from the Indonesian Central Bank for the development of services, the development of products and activities, and co-operation with other parties.

Data Protection and Privacy
Meanwhile, since Fin-Tech involves consumer databases, particularly in how consumer data are processed, there are many threats, including threats to the integrity of consumer data and to consumer privacy. The following describes how such threats may appear, the response in the PBI and POJK, and the question of how far these two regulations are able to protect consumers' data and privacy in Fin-Tech services.
The technology used in Fin-Tech is commonly called Blockchain. It is a database or a ledger that maintains a continuously growing list of data records or transactions.[10] In a nutshell, Blockchain is a new tool to transmit and encrypt any kind of transaction on the web which has a centralized authority to validate the action. The transmitting and encryption work by processing the database. Nowadays, given how enormous the databases used by technology-based start-ups including Fin-Tech are, this is no longer a simple collection of databases but big data. The main characteristics of big data are very large size, high data rates, and many data types. The issue refers to collecting, processing and analyzing.

[10] Mykhaylo. Applications of Blockchain Technology in Fintech, https://www.romexsoft.com/blog/blockchaintechnology-in-fintech/, [retrieved: January 3rd, 2017].
Therefore big data not only provide benefits for individuals and business entities but also lead to legal problems if they are not managed properly. One of the legal issues of big data is data security.[11] This issue is related to the rampant level of hacking and other cyber-crimes committed by irresponsible individuals. In addition, there is also an issue of data ownership or intellectual property rights over the data, because there is no settled concept explaining the ownership of the data. Another legal issue is privacy protection. Data certainly carry information that refers to the privacy of the data subject. Therefore, massive processing of big data in various jurisdictions means that the private information of data subjects may be easily recognized.
Regarding Fin-tech service providers, the risk in how the data should be treated can be seen in the centralized authority that carries out the steps of collecting, processing and analyzing. Even though the technology used in Fin-tech, such as Blockchain technology, is able to encrypt some actions on the web, there is still a potential threat in cyberspace. Cyber risk and cyber security are the main issues concerning the protection of consumers' data. Cyber-attacks can be a potential threat to system or data confidentiality, integrity, and availability. Moreover, those potential cyber-attacks are becoming more frequent and more costly for societies. The financial sector is one of the prime targets of cyber-attacks because it represents where the money is, or because it has become a symbol of capitalism, which leads to cyber-attacks that might have some political motivations.[12] Therefore, the concept of data protection associated with the mitigation of risk should accommodate how to identify, protect, detect, respond to, and recover consumer data. Thus the provider of Fin-Tech services should comply with such principles. There are at least three issues in data security, i.e. its integrity, confidentiality, and availability.
An attack on data integrity in a Fintech service will affect the accuracy of the data subject's data, in this case the Fin-Tech user. The data may encounter a so-called system failure that leads to a change of data ownership or the destruction of the information itself. As a result, the financial data, or simply one item of the personal information, may be used illegally.
Besides attacks on integrity, Fin-Tech users may also face attacks on data confidentiality. This attack occurs when an unauthorized person accesses and uses such sensitive data and the most confidential credential data of a Fin-Tech user to commit fraud or identity theft in order to benefit from Fintech services, either the lending system or the payment scheme. Last is the issue of data availability, in which the Fin-tech service provider may encounter disruption or delay in its operating system. Some Fin-Tech service providers may use different technologies and different internet providers. The availability of data to be accessed by Fin-Tech in real time significantly supports the cycle of execution of trades and other online financial activity. Otherwise, this kind of online business, especially online transactions, will incur losses.
Meanwhile, the issue of consumer privacy lies in how data are processed by Fintech service providers, resulting in an algorithm that may be used for further prediction of consumers' online behavior. The algorithm itself is able to show the consumer's movement on the web. As a result, it can be analyzed to predict consumer behavior in the future.
In this regard, the movement of the consumer can be seen with the support of cookie technology. Data-producing activity recorded by cookie technology is used in Fin-Tech services and other media attached to the Internet. It is often used by sellers and online service providers to capture the opportunity presented by the online activity of consumers with particular preferences.[13] These preferences are collected by categorizing the personal data of consumers who have done various searches related to the products offered on various online marketplace platforms.
On the other hand, recording personal data from these consumers makes it easy to recognize the consumer profile and to sell exactly the desired products without effort. Furthermore, the cookie technology that providers of online marketplace platforms use to collect various kinds of individual product search preferences serves as a database of the interests of potential customers and as knowledge for the providers of online marketplace platforms and other online services. This is referred to as the collection and use of personal information for marketing purposes.[14] Worse, consumers neither know nor realize that their personal data have been collected for business purposes. Thus this kind of collection of personal data leads to privacy violation.
Data protection is generally defined as a regulation designed to protect personal information, whether or not it is collected, processed and stored, which is intended to be part of a filing system. Personal Data Protection is an effort and means of providing a guarantee of legal certainty to individuals in relation to the utilization of personal data. Furthermore, Personal Data is any information relating to the identification of a data subject, either directly or indirectly, in whole or in part, based on identification numbers or one and/or several special factors such as physical appearance, psychic and economic circumstances, as well as social and cultural identity.
In the delivery of Fin-tech services, the protection of consumers' personal data is important in order to build consumer confidence. In Indonesia, the provisions on the protection of personal data do not yet amount to a comprehensive arrangement. The Constitution itself does not explicitly regulate the protection of data, but rather explicitly regulates the protection of human rights, which indirectly concerns personal data or information. Such protection can be found implicitly in Articles 28F and 28G (1), which regulate the freedom to store information and the protection of personal data or personal information that extends to that data.
As argued by Rosadi, the principles of data protection related to consumer privacy should be fulfilled by service providers in order to protect consumers' rights at the highest level.[15] Those principles are the collection principle, restriction principle, data quality principle, goal specification principle, security measure principle, openness principle, individual participation principle, and accountability principle. However, both the PBI and the POJK merely focus on the mechanisms that providers should fulfil, while neglecting the role of the user or consumer as an individual whose rights should be fulfilled and whose privacy should be protected as guaranteed by the Constitution and related regulations.
Focusing on this issue, in the PBI the principles of data protection can be found in Section 5, Article 24 (2) and Article 25. Those principles are the rights to be informed, justice, reliability, transparency, personal data protection, and a dispute resolution mechanism. Why is it considered an adequate level? A national application of data protection may meet 7 principles: 1) collection limitation principle, 2) data quality principle, 3) purpose specification principle, 4) use limitation principle, 5) security safeguard principle, 6) openness principle, and 7) individual participation principle. These principles should be reflected at every level of the articles that contain data protection. In fact, there is no further elaboration on how consumers should be informed about how their data will be processed and used by the Fin-tech provider. Yet the participation of consumers might appear to be involved at the processing level.
In the POJK, meanwhile, the principle of data protection emphasizes data mitigation, since it sets out how the provider should provide a data center, as stated in Article 25. However, data mitigation is not sufficient, since consumers have no right to know about their individual participation, particularly how their personal data will be processed and used in the future. Regarding the principle of openness, consumers might also encounter the absence of the role of the data processor and of the extent of consumer participation regarding their personal data.
Another response of the Indonesian Government related to personal data is also found in the Regulation No. 11 of 2008 on Information and Electronic Transactions and its derivations, namely the Government Regulation Number 82 of 2012 on Organizing Electronic System and Transaction and the Regulation of the Ministry of Information and Communication Number 20 of 2016. In accordance with such regulations, the P2P provider should not only comply with the protection of personal data and consumers' privacy at every level of data processing, such as collecting, analyzing, storing, opening, and removing, but also be able to provide access to those data at every level of processing. Furthermore, the provision of internal regulation on data protection is stated in Article 5 (1) of the Regulation of the Ministry of Information and Communication Number 20 of 2016.[16]

[16] State Gazette of 2016 No. 1829.

CONCLUSION
The approach of the Indonesian authorities to fin-tech startups, especially P2P lending and IPG, adopts the Regulatory Sandbox model. However, the implementation of the regulatory sandbox model lacks a minimum restriction on the risk exposure of consumers, and there is no limit on when this regulation will apply to fin-tech startups. At the same time, the development of Fin-tech services in Indonesia faces a new challenge, particularly on the issue of consumers' data protection, since Indonesia still does not have an adequate set of regulations concerning data protection. Although the government responded by issuing two regulations on Fin-tech services, the nature of Fin-tech services, which demands a flexible business ecosystem, including its mechanism for processing consumers' data, still needs to be equipped with adequate protection of consumers' data to support consumer confidence in this business. Therefore, the government's Sandbox policy approach towards Fin-tech services should be further strengthened by involving multiple stakeholders.